Dark Reading is part of the Informa Tech Division of Informa PLC



4/5/2013
04:16 AM

Don't Count Out Active Directory For Cloudy Future

AD isn't going anywhere anytime soon

Because Active Directory (AD) was first developed in an era before SaaS services, some security proponents might make the case that it hasn't adapted well enough and doesn't have the architectural flexibility to future-proof itself within the increasingly cloud- and mobile-centric enterprise.

However, plenty of others out there will tell you not to count out AD yet. Not only is Microsoft gaining ground in honing AD's cloud capabilities through Windows Azure Active Directory and further refinements of Active Directory Federation Services (ADFS), but AD also is so completely ingrained within the fiber of just about every big enterprise out there that it's not going anywhere anytime soon.

"It will be a while before the dust settles around these [cloud identity providers], and in the near term it's hard to see any one particular play winning," says Scott Crawford, analyst for Enterprise Management Associates. "But you simply can't count out the value of Active Directory and of extending that from the enterprise to third-party services because it is so well-established."


Active Directory is a good platform for the cloud, says Phil Lieberman, founder of privileged identity management firm Lieberman Software.

"AD can be used in so many ways. Microsoft is already using it for hundreds of millions of users as the basis for all of its cloud-based services, so scalability isn't an issue," Lieberman says. "It's just a place to store stuff about identities and information about what they can do. Out of the box it ties all of the Microsoft stuff together, but there was never a restriction that said you couldn't use it for something else."

For example, you can change the schema and you can plug in another authenticator, he says.

"It just uses Kerberos, but if you want to use something else or federate with something else, you can absolutely do that," Lieberman says.

With respect to federation, Jackson Shaw, senior director of identity management for Quest Software, a Dell company, says that too many cloud IAM providers with a clear agenda have overblown ADFS pain points to make it a bit of a four-letter word. But he believes that there's another four-letter word that IT buyers should use against these vendors: free.

"One of the basic problems with ADFS that is overblown is just the fact that a customer will see that it needs to use some sort of a certificate or PKI and will immediately go 'deer in the headlights,'" he says. "But the fact of the matter is any product that uses federation requires a certificate."

So although the free product will still cost money to deploy, the truth is that those deployment headaches won't go away altogether with any other federation product, either. Shaw suggests customers use this fact to their advantage, even if they don't choose to use ADFS.

"Free doesn't necessarily mean 'free,' but it can also be used by customers as a bargaining chip when they're buying software," he says. "A customer who's smart about things and is educated a little bit can have that discussion -- can save themselves some money even when they know that they don't want ADFS or can't use it."

However, organizations should give the technology a chance, Shaw says. Though ADFS did face its share of early-generation roughness, Microsoft has been working the kinks out.

"Microsoft gets things right after the third or fourth try. They've got the staying power to have that runway to perfect things before they take off," he says. "I think you can see that with some of the work they've done around integrating an on-premise directory with Office 365, they're starting to sharpen their pencil."

Besides, Lieberman says, it would be somewhat disingenuous to say that the slow uptake of ADFS is a failing on Microsoft's part. He believes the question shouldn't be so much about why ADFS has not had tremendous uptake in the years it has been out, but instead why federation itself hasn't taken root in the enterprise.

"Federation is rare in the enterprise today," he says. "ADFS is an enabler for federation. Of course, it's like a gym membership. You can buy it, but it doesn't mean you're going to go there."

In the end, the toughest nuts to crack around IAM deployments in the cloud, around single sign-on, and around federation really have nothing to do with AD or any individual technology. It all boils down to the underlying business processes these technologies are meant to facilitate.

"Deployment to integrate identity management with these services is more than just connecting the dots through federation," Crawford says. "There's user management and provisioning, there's access management on the part of the target service, and then there's the granularity of access management."

But where things go wrong when putting all of these pieces together is that the IT departments don't understand the business processes they'll be built around to set up a successful deployment. And there's just no technology to solve that problem.

"For a long time one of the biggest issues the systems integrators faced is that you have to understand how the organization's business processes work to know what privileges would be correct," he says. "A lot of times the customer didn't understand that themselves. So what started out as an identity management deployment often wound up being a business process management consulting engagement."


Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.
